
Privacy Policy

As of: 28 June 2026 · Version v1.5

English translation for convenience. The German version at /datenschutz is the legally binding text.

1. Short version

  • Your voice never leaves your Mac. All speech-to-text runs on-device.
  • AI modes are opt-in. Only when you choose Prompt or Agent Mode does the resulting text go to an AI service. Audio is never sent.
  • Account data lives in Stripe and Supabase. Only what is needed to sell you a subscription and let you sign in.
  • History is local. Transcripts and audio recordings stay on your Mac and are auto-deleted after 30 days.

2. Data controller under GDPR

The controller under the General Data Protection Regulation (GDPR) and other data protection laws is:

Marcel Porcher
Newways
Rabestraße 6
10405 Berlin, Germany
VAT ID: DE344920245
Email: marcel@newways.ai

3. Data Protection Officer

We are not required to appoint a Data Protection Officer under Art. 37 GDPR and § 38 BDSG (sole proprietor, no regular large-scale processing of special categories). Direct your privacy requests to marcel@newways.ai.

4. Legal bases and retention

Legal bases under Art. 6 GDPR

  • Art. 6(1)(a) (consent): newsletter, lead magnets, Instagram DM automation, marketing emails
  • Art. 6(1)(b) (contract performance): app delivery, account, Pro subscription via Stripe
  • Art. 6(1)(c) (legal obligation): retention of tax-relevant records
  • Art. 6(1)(f) (legitimate interest): hosting logs, Trustpilot widget, external links, update checks

Legitimate interest balancing

For processing based on legitimate interests, we conduct a written balancing test. We provide this documentation to the supervisory authority on request.

Retention per data category

Data category | Retention | Legal basis
Hosting logs (IP, user agent) | 30 days | Art. 6(1)(f)
Newsletter / lead-magnet emails | until withdrawal + 1 month | Art. 6(1)(a)
Supabase account data | as long as account exists | Art. 6(1)(b)
Stripe payment records | 10 years (German GoBD / § 147 AO) | Art. 6(1)(c)
Local transcripts and audio | 30 days, auto-deleted | local, no transmission
AI requests at provider | per provider policy (e.g. Google ~24h abuse cache) | Art. 6(1)(b)
Email correspondence | 3 years after case closure | Art. 6(1)(b)/(f)

5. Your rights

As a data subject you have the right at any time to:

  • access (Art. 15 GDPR)
  • rectification (Art. 16 GDPR)
  • erasure / "right to be forgotten" (Art. 17 GDPR)
  • restriction of processing (Art. 18 GDPR)
  • data portability (Art. 20 GDPR)
  • object to processing (Art. 21 GDPR)
  • withdraw consent (Art. 7(3) GDPR)
  • lodge a complaint with a supervisory authority

To exercise these rights, a simple message to marcel@newways.ai is enough. We respond within 30 days.

Right to object to direct marketing (Art. 21)

You can object at any time to processing of your data for direct marketing — via the unsubscribe link in every email or by message to marcel@newways.ai.

Competent supervisory authority

Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI)
Friedrichstr. 219, 10969 Berlin, Germany
Phone: +49 (0)30 13889-0
Email: mailbox@datenschutz-berlin.de
Web: datenschutz-berlin.de

6. Automated decision-making (Art. 22 GDPR)

We do not use any automated decision-making under Art. 22 GDPR. Voiceit does not make legally binding or similarly significant decisions about you. The AI modes assist you with dictation and text refinement; you see every AI output before it is inserted.

7. Website hosting

We host our website with the following provider:

Vercel Inc., 440 N Barranca Ave #4133, Covina, CA 91723, USA

On access, Vercel automatically collects and stores information in server log files (IP address, browser type, operating system, referrer URL, time of access). This data serves to deliver the website without technical errors. Legal basis: Art. 6(1)(f) GDPR.

USA transfer: safeguarded by EU Standard Contractual Clauses (SCC) and the EU-U.S. Data Privacy Framework (DPF). As of May 2026 the DPF is valid but under challenge at the CJEU.

Sub-processors: Vercel uses Amazon Web Services, Microsoft Azure, and Google Cloud Platform as underlying infrastructure.

A data processing agreement (Art. 28 GDPR) exists with Vercel. Details: vercel.com/legal/privacy-policy.

8. Local Storage and Cookies (TTDSG § 25)

This website uses only technically necessary local storage entries:

  • voiceit-theme — stores your theme preference (light/dark)

Legal basis: TTDSG § 25(2)(2) (strictly necessary, no consent required) in conjunction with Art. 6(1)(f) GDPR.

No tracking cookies, analytics, or marketing cookies are used. No cookie banner.

9. Sub-processors

The following table lists every sub-processor to whom personal data may be transferred. A data processing agreement (Art. 28 GDPR) or equivalent is in place with every provider that processes personal data on our behalf.

Provider | Location | Function | Data | Transfer mechanism | Privacy
Vercel Inc. | USA | Website hosting | IP, logs | DPF + SCC | Link
Supabase Pte. Ltd. | EU (Ireland, eu-west-1) | Account, license check, app backend | Email, device ID | EU hosting, US parent (Supabase Inc., Delaware) — DPF + SCC | Link
Stripe, Inc. | USA + EU + UK | Subscription payment | Name, address, card/bank data, tax info | DPF + SCC + UK Adequacy | Link
Google Cloud EMEA Ltd | Ireland / Frankfurt, DE | AI model Gemini via Vertex AI (Prompt/Agent Mode) | Transcribed text (opt-in) | EU-internal (europe-west3) | Cloud DPA
Brevo (Sendinblue GmbH) | Berlin | Newsletter, lead-magnet emails | Email, name | EU-internal | Link
Newways lead-magnet service (self-hosted) | Frankfurt, Germany | Instagram comment-to-DM automation | IG handle, DM content (lead-magnet links) | EU-internal (Hostinger Frankfurt) | Hostinger DPA
WhatsApp Ireland Ltd. (Meta) | Ireland / USA | Contact link | Metadata on click | DPF + SCC | Link
Skool Inc. | USA | Community link | Click metadata | DPF + SCC | Link
Trustpilot A/S | Denmark | Reviews widget | IP on widget load | EU-internal | Link
GitHub Inc. (Microsoft) | USA | Release distribution + update polling (every 30 min) | IP on download / polling | DPF + SCC + Microsoft DPA | Link
Google Workspace | USA | Business email marcel@newways.ai | Email content, recipient metadata | DPF + SCC | DPA
Apple Inc. (Sign-in with Apple — currently disabled) | USA / EU | Optional OAuth sign-in | Apple user ID, email | DPF + Apple standards | Link
Google LLC (Sign-in with Google — currently disabled) | USA | Optional OAuth sign-in | Google user ID, email, name | DPF + SCC | Link

Note on US parent companies (CLOUD Act). Some sub-processors listed above (Google Cloud EMEA Ltd, Supabase Pte. Ltd., Stripe, Vercel, GitHub) belong to groups with a US parent. The US CLOUD Act in principle allows US authorities to request data even when it is stored physically in the EU. We actively reduce this risk: audio recordings never leave your device. Only transcribed text is sent in AI modes to Vertex AI in Frankfurt. For account and payment data we rely on EU hosting plus EU Standard Contractual Clauses and the EU-US Data Privacy Framework. The framework's status is being monitored through pending CJEU proceedings (Schrems III) — should it fall, we will inform you proactively and switch to SCCs plus a Transfer Impact Assessment.

Supabase DPA: signed on 2026-05-25 (Document Ref: WQJGP-LPPWT-HOCVQ-FZYVT, Part 2 dated August 5, 2025). Annexes EU Standard Contractual Clauses (Commission Decision 2021/914).

10. AI processing (AI Act Art. 50)

Voiceit uses a local voice model on your Mac. Voice recordings are never transmitted to external providers.

In addition, you can optionally activate Prompt Mode or Agent Mode. The locally transcribed text (not audio) is then forwarded through our Supabase Edge Function to an AI provider for refinement or transformation.

Routing: Supabase Edge Function → Google Cloud Vertex AI (europe-west3 Frankfurt, failover europe-west4 Amsterdam).
Model: Gemini 2.5 Flash via Vertex AI.
No training: Google does not use your data to train AI models (Google Cloud DPA guarantee).
No US routing: All AI requests stay in the EU.

Art. 50 AI Act transparency: This app uses artificial intelligence. AI outputs may contain errors. You see every AI output before it is inserted.

Legal basis for optional AI use: Art. 6(1)(b) GDPR (contract performance, Pro subscription) or Art. 6(1)(a) GDPR (consent through active mode selection).

11. Newsletter

When you sign up for our newsletter, we process your email address via Brevo (Sendinblue GmbH, Köpenicker Straße 126, 10179 Berlin, Germany). Brevo stores data on EU servers. Signup uses double opt-in — you receive a confirmation email you must click.

Legal basis: Art. 6(1)(a) GDPR (consent). You can withdraw at any time — via the unsubscribe link in every email or by message to marcel@newways.ai.

12. Lead magnets and Instagram DM

When you comment with a specific keyword on one of our Instagram posts, our own self-hosted lead-magnet service sends you the requested lead magnet via Instagram DM.

Operator: Newways (Marcel Porcher), Rabestraße 6, 10405 Berlin, Germany.

Server location: self-hosted on a Hostinger VPS in Frankfurt, Germany (Hostinger Operations Ltd., data center "fra"). No third-country transfer.

Data processed: your Instagram handle, the content of your comment (keyword detection) and the standardised lead-magnet DM we send back.

Retention: keyword + IG handle are stored in our own PostgreSQL database for the duration of the campaign plus a maximum of 6 months for statistical analysis, then auto-deleted.

Sub-processor: Hostinger Operations Ltd. as VPS host. DPA: hostinger.com/legal/data-processing-agreement.

Instagram side: The comment itself and all related metadata are processed by Meta/Instagram — outside our control. Instagram privacy policy.

Legal basis: Art. 6(1)(a) GDPR (consent through active keyword-comment action).

13. Email contact

If you contact us by email at marcel@newways.ai, your message including the personal data contained in it is stored to handle your request.

Legal basis: Art. 6(1)(b) GDPR for contract-related communication, otherwise Art. 6(1)(f) GDPR. Retention: 3 years after case closure.

14. Local Mail.app Read for OTP Auto-Detect (v0.7.23+)

When you sign in with email, Voiceit sends you a 6-digit one-time code. Starting with v0.7.23, the app can optionally read this code directly from your macOS Mail.app so you don't have to copy it manually.

Where: the read happens entirely on your Mac via a single AppleScript query against the last 5 minutes of Mail.app inbox messages from sender addresses matching voiceit@, supabase@, or noreply@.

What is read: only the 6-digit code in the email body. Voiceit does not read other email contents, subjects, or sender details beyond the address pattern match.

What is transmitted: nothing. The code stays on your device until you submit it to Supabase Auth to complete sign-in (same path as if you typed it manually).

Permission: the macOS Automation → Mail permission is requested only when you first sign in. You can revoke it at any time in System Settings → Privacy & Security → Automation.

Opt-out: if you decline the permission, sign-in still works — you just copy the code manually as before.

14a. Usage statistics (word count)

To enforce the Free-tier weekly word allowance and to understand how Voiceit is used overall, the app sends a small amount of usage data — a numeric word count linked to your account, never any dictation content — to our backend (Supabase, EU).

What is sent: an aggregate word count (how many words you dictated in the current week), plus basic counters such as the number of AI tasks used this month and the calendar week. These are plain numbers.

What is never sent: the content of your dictation. No transcript text, no audio, and no individual transcripts ever leave your Mac through this path. The number is a count, not the words themselves.

Why: the Free tier includes a weekly word limit, which can only be enforced if the count is stored server-side (otherwise it would reset every time you restart the app). Aggregated across users, these counts also tell us whether the product is useful and where to improve it.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operating and improving the service and in enforcing fair-use limits). Balancing test: the data is a pseudonymous numeric count tied to your account id and contains no dictation content; it cannot reveal what you dictated; the impact on your privacy is minimal, while the interest in a working limit and product insight is real.

Retention: the current and previous weekly counters are kept while your account is active and deleted when you delete your account.

Opt-out: because this count is what enforces the Free-tier limit, it cannot be disabled while on the Free tier without removing the limit itself. On a paid tier the weekly word limit does not apply; the count is then used only as a display figure and an account-linked usage signal.

15. Data security (Art. 32 GDPR)

We implement technical and organisational measures (TOMs) to protect your data from loss, manipulation, and unauthorised access — encrypted transmission (TLS), strong authentication, access restrictions, regular security updates. We maintain a full TOM catalogue internally and submit it to the supervisory authority on request.

16. External links

This website includes links to third-party sites. When you click an external link, data is transferred to the provider, in particular your IP address, the time, and the previously visited page. We are not liable for these third-party contents or their privacy practices. Legal basis: Art. 6(1)(f) GDPR.

17. Changes to this policy

We will update this document and bump the version number above whenever material changes are made. Significant changes (new sub-processors, new categories of data, changes affecting your rights) will be announced inside the app and, for account holders, by email. Current version: v1.5, 28 June 2026.
